spid 0.9.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cccde8251b49654537f88e24704de56844883d61c3e2939edf7a7b05c277850
-  data.tar.gz: 703d39c5c631e0a988dc3b36969e1dff7aeeab8622e70a935b4c52486bd50568
+  metadata.gz: 960e16fa23660bf794d8569793c49f01671883612e6e96c56d9cc9ec7584c887
+  data.tar.gz: 18aa49e2bd0173eb7aaae0141fd199c73fc97f4f9538e04e998fd459f4406e1f
 SHA512:
-  metadata.gz: 9025d41fdf1de349f3bc3e595eeca6eab68d8be7d26c9026a5d8aa2544e50574a75151539ad6c30e67e9cb99ce5ed1c94c1d3f9b109814cd171faa23cfe9141e
-  data.tar.gz: 793b85a398c663be4c835ff76a4d420170f0d58e6a09bafccd98042d61cfa181718b74769f2443897f85ebef150be11b66b3f9ddc1ac6f26833ac8f14e6dffa9
+  metadata.gz: 294072c36735dd72f29e0b66a5d8df0118637079223faa7a9f8b71778cd2b871b639174267b775c6505d1723d1b5e4126b4e243941a6a6f9cecdf4a028c87394
+  data.tar.gz: 18525e552a24740ad2f51bc73f7d7e96c1f1ab583ea96372c04f6560a6df8efe7af2cb802b0631e68b61594e010f9c6790a40d8f0b17b5575207ce4fafe5bb83

data/.rubocop.yml

@@ -30,3 +30,5 @@ Style/EmptyMethod:
   EnforcedStyle: expanded
 Style/StringLiterals:
   EnforcedStyle: double_quotes
+Style/WordArray:
+  EnforcedStyle: brackets

data/CHANGELOG.md

@@ -1,6 +1,23 @@
 # Changelog
 
 ## [Unreleased]
+
+## [0.10.0] - 2018-08-02
+### Added
+- Handled Relay State in sso/slo responses
+- session["spid"] initialized
+- Configurable Bindings
+
+### Changed
+- Signature in url instead of in SAMLRequest body
+
+### Fixed
+- Metadata rack response body is now an array
+- Typo on authn context comparison value
+- AllowCreate is not expected in NameIDPolicy element
+- Redirects to idp will not cached anymore
+
+## [0.9.0] - 2018-07-31
 ### Added
 - Rack middleware that handles spid login requests
 - Rack middleware that handles spid logout requests
@@ -72,7 +89,9 @@
 - Coveralls Integration
 - Rubygems version badge in README
 
-[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.8.0...HEAD
+[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.10.0...HEAD
+[0.10.0]: https://github.com/italia/spid-ruby/compare/v0.9.0...v0.10.0
+[0.9.0]: https://github.com/italia/spid-ruby/compare/v0.8.0...v0.9.0
 [0.8.0]: https://github.com/italia/spid-ruby/compare/v0.7.0...v0.8.0
 [0.7.0]: https://github.com/italia/spid-ruby/compare/v0.6.0...v0.7.0
 [0.6.0]: https://github.com/italia/spid-ruby/compare/v0.5.0...v0.6.0

data/README.md

@@ -16,13 +16,14 @@ Ruby library for SPID authentication
 
 Add into your Gemfile
 
-```
+```ruby
 gem "ruby-saml",
   github: "davidlibrera/ruby-saml",
-  ref: "4204afc2439f712db8909bccfd8d6e15f9320c34"
+  ref: "571e280031883abe3aad7c5b856353f94354fd06"
 gem "spid"
 ```
 
+
 ## Features
 
 |<img src="https://github.com/italia/spid-graphics/blob/master/spid-logos/spid-logo-c-lb.png?raw=true" width="100" /><br />_Compliance with [SPID regulations](http://www.agid.gov.it/sites/default/files/circolari/spid-regole_tecniche_v1.pdf) (for Service Providers)_||

data/lib/spid/authn_request.rb

@@ -6,6 +6,9 @@ module Spid
   class AuthnRequest < ::OneLogin::RubySaml::Authrequest # :nodoc:
     def create_xml_document(settings)
       original_document = super(settings)
+      root = original_document.elements["//samlp:AuthnRequest"]
+      name_id_policy_element = root.add_element("samlp:NameIDPolicy")
+      name_id_policy_element.attributes["Format"] = format_transient
       issuer_element = original_document.elements["//saml:Issuer"]
       issuer_element.attributes["Format"] = format_entity
       issuer_element.attributes["NameQualifier"] = settings.issuer
@@ -14,6 +17,10 @@ module Spid
 
     private
 
+    def format_transient
+      "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    end
+
     def format_entity
       "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
     end

data/lib/spid/configuration.rb

@@ -14,21 +14,27 @@ module Spid
     attr_accessor :private_key
     attr_accessor :certificate
     attr_accessor :attribute_service_name
+    attr_accessor :default_relay_state_path
+    attr_accessor :acs_binding
+    attr_accessor :slo_binding
 
     # rubocop:disable Metrics/MethodLength
     def initialize
-      @idp_metadata_dir_path  = "idp_metadata"
-      @metadata_path          = "/spid/metadata"
-      @start_sso_path         = "/spid/login"
-      @start_slo_path         = "/spid/logout"
-      @acs_path               = "/spid/sso"
-      @slo_path               = "/spid/slo"
-      @digest_method          = Spid::SHA256
-      @signature_method       = Spid::RSA_SHA256
-      @attribute_service_name = attribute_service_name
-      @hostname               = nil
-      @private_key            = nil
-      @certificate            = nil
+      @idp_metadata_dir_path    = "idp_metadata"
+      @metadata_path            = "/spid/metadata"
+      @start_sso_path           = "/spid/login"
+      @start_slo_path           = "/spid/logout"
+      @acs_path                 = "/spid/sso"
+      @slo_path                 = "/spid/slo"
+      @digest_method            = Spid::SHA256
+      @signature_method         = Spid::RSA_SHA256
+      @attribute_service_name   = nil
+      @hostname                 = nil
+      @private_key              = nil
+      @certificate              = nil
+      @default_relay_state_path = "/"
+      @acs_binding              = Spid::BINDINGS_HTTP_POST
+      @slo_binding              = Spid::BINDINGS_HTTP_REDIRECT
     end
     # rubocop:enable Metrics/MethodLength
 

data/lib/spid/metadata.rb

@@ -17,7 +17,9 @@ module Spid
         private_key: private_key_content,
         certificate: certificate_content,
         assertion_consumer_service_url: assertion_consumer_service_url,
+        assertion_consumer_service_binding: Spid.configuration.acs_binding,
         single_logout_service_url: single_logout_service_url,
+        single_logout_service_binding: Spid.configuration.slo_binding,
         security: {
           authn_requests_signed:     true,
           logout_requests_signed:    false,

data/lib/spid/rack/login.rb

@@ -28,7 +28,7 @@ module Spid
 
         def response
           [
-            301,
+            302,
             { "Location" => sso_url },
             []
           ]
@@ -36,7 +36,8 @@ module Spid
 
         def sso_url
           Spid::Sso::Request.new(
-            idp_name: idp_name
+            idp_name: idp_name,
+            relay_state: relay_state
           ).to_saml
         end
 
@@ -49,6 +50,10 @@ module Spid
           request.path == Spid.configuration.start_sso_path
         end
 
+        def relay_state
+          request.params["relay_state"]
+        end
+
         def idp_name
           request.params["idp_name"]
         end

data/lib/spid/rack/logout.rb

@@ -28,7 +28,7 @@ module Spid
 
         def response
           [
-            301,
+            302,
             { "Location" => slo_url },
             []
           ]
@@ -37,6 +37,7 @@ module Spid
         def slo_url
           Spid::Slo::Request.new(
             idp_name: idp_name,
+            relay_state: relay_state,
             session_index: spid_session["session-index"]
           ).to_saml
         end
@@ -52,12 +53,11 @@ module Spid
         end
 
         def spid_session
-          rack_session["spid"] unless rack_session.nil?
+          request.session["spid"]
         end
 
-        def rack_session
-          return if request.has_header?("rack.session").nil?
-          request.get_header("rack.session")
+        def relay_state
+          request.params["relay_state"]
         end
 
         def idp_name

data/lib/spid/rack/metadata.rb

@@ -33,7 +33,7 @@ module Spid
           [
             200,
             { "Content-Type" => "application/xml" },
-            metadata.to_xml
+            [metadata.to_xml]
           ]
         end
 

data/lib/spid/rack/session.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Spid
+  class Rack
+    class Session # :nodoc:
+      attr_reader :app
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ::Rack::Request.new(env)
+        request.session["spid"] ||= {}
+        app.call(env)
+      end
+    end
+  end
+end

data/lib/spid/rack/slo.rb

@@ -11,8 +11,11 @@ module Spid
 
       def call(env)
         @slo = SloEnv.new(env)
-        env["rack.session"].delete("spid") if @slo.valid_request?
-        app.call(env)
+        if @slo.valid_request?
+          @slo.response
+        else
+          app.call(env)
+        end
       end
 
       class SloEnv # :nodoc:
@@ -24,9 +27,49 @@ module Spid
           @request = ::Rack::Request.new(env)
         end
 
-        def valid_request?
+        def clear_session
+          request.session["spid"] = {}
+        end
+
+        def response
+          clear_session
+          [
+            302,
+            { "Location" => relay_state },
+            []
+          ]
+        end
+
+        def relay_state
+          if !request.params["RelayState"].nil? &&
+             request.params["RelayState"] != ""
+            request.params["RelayState"]
+          else
+            Spid.configuration.default_relay_state_path
+          end
+        end
+
+        def valid_get?
+          request.get? &&
+            Spid.configuration.slo_binding == Spid::BINDINGS_HTTP_REDIRECT
+        end
+
+        def valid_post?
+          request.post? &&
+            Spid.configuration.slo_binding == Spid::BINDINGS_HTTP_POST
+        end
+
+        def valid_http_verb?
+          valid_post? || valid_get?
+        end
+
+        def valid_path?
           request.path == Spid.configuration.slo_path
         end
+
+        def valid_request?
+          valid_path? && valid_http_verb?
+        end
       end
     end
   end

data/lib/spid/rack/sso.rb

@@ -13,13 +13,10 @@ module Spid
         @sso = SsoEnv.new(env)
 
         if @sso.valid_request?
-          response = @sso.sso_response
-          env["rack.session"]["spid"] = {
-            "attributes" => response.attributes,
-            "session_index" => response.session_index
-          }
+          @sso.response
+        else
+          app.call(env)
         end
-        app.call(env)
       end
 
       class SsoEnv # :nodoc:
@@ -31,14 +28,57 @@ module Spid
           @request = ::Rack::Request.new(env)
         end
 
+        def store_session
+          request.session["spid"] = {
+            "attributes" => sso_response.attributes,
+            "session_index" => sso_response.session_index
+          }
+        end
+
+        def response
+          store_session
+          [
+            302,
+            { "Location" => relay_state },
+            []
+          ]
+        end
+
         def saml_response
           request.params["SAMLResponse"]
         end
 
-        def valid_request?
+        def relay_state
+          if !request.params["RelayState"].nil? &&
+             request.params["RelayState"] != ""
+            request.params["RelayState"]
+          else
+            Spid.configuration.default_relay_state_path
+          end
+        end
+
+        def valid_get?
+          request.get? &&
+            Spid.configuration.acs_binding == Spid::BINDINGS_HTTP_REDIRECT
+        end
+
+        def valid_post?
+          request.post? &&
+            Spid.configuration.acs_binding == Spid::BINDINGS_HTTP_POST
+        end
+
+        def valid_http_verb?
+          valid_get? || valid_post?
+        end
+
+        def valid_path?
           request.path == Spid.configuration.acs_path
         end
 
+        def valid_request?
+          valid_path? && valid_http_verb?
+        end
+
         def sso_response
           ::Spid::Sso::Response.new(body: saml_response)
         end

data/lib/spid/rack.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "rack/builder"
+require "spid/rack/session"
 require "spid/rack/login"
 require "spid/rack/logout"
 require "spid/rack/sso"
@@ -13,6 +14,7 @@ module Spid
 
     def initialize(app)
       @app = ::Rack::Builder.new do
+        use Spid::Rack::Session
         use Spid::Rack::Metadata
         use Spid::Rack::Login
         use Spid::Rack::Logout

data/lib/spid/service_provider.rb

@@ -62,7 +62,7 @@ module Spid
             certificate: certificate,
             security: {
               authn_requests_signed: true,
-              embed_sign: true,
+              embed_sign: false,
               digest_method: digest_method,
               signature_method: signature_method
             }
@@ -81,7 +81,7 @@ module Spid
             certificate: certificate,
             security: {
               logout_requests_signed: true,
-              embed_sign: true,
+              embed_sign: false,
               digest_method: digest_method,
               signature_method: signature_method
             }

data/lib/spid/slo/request.rb

@@ -8,14 +8,22 @@ module Spid
     class Request # :nodoc:
       attr_reader :idp_name
       attr_reader :session_index
+      attr_reader :relay_state
 
-      def initialize(idp_name:, session_index:)
+      def initialize(idp_name:, session_index:, relay_state: nil)
         @idp_name = idp_name
         @session_index = session_index
+        @relay_state =
+          begin
+            relay_state || Spid.configuration.default_relay_state_path
+          end
       end
 
       def to_saml
-        logout_request.create(saml_settings)
+        logout_request.create(
+          saml_settings,
+          "RelayState" => relay_state
+        )
       end
 
       def saml_settings

data/lib/spid/sso/request.rb

@@ -7,16 +7,29 @@ module Spid
   module Sso
     class Request # :nodoc:
       attr_reader :idp_name
+      attr_reader :relay_state
       attr_reader :authn_context
       attr_reader :authn_context_comparison
 
-      def initialize(idp_name:, authn_context: Spid::L1)
+      def initialize(
+            idp_name:,
+            relay_state: nil,
+            authn_context: nil
+          )
         @idp_name = idp_name
-        @authn_context = authn_context
+        @relay_state = relay_state
+        @authn_context = authn_context || Spid::L1
+        @relay_state =
+          begin
+            relay_state || Spid.configuration.default_relay_state_path
+          end
       end
 
       def to_saml
-        authn_request.create(saml_settings)
+        authn_request.create(
+          saml_settings,
+          "RelayState" => relay_state
+        )
       end
 
       def saml_settings

data/lib/spid/sso/settings.rb

@@ -40,7 +40,6 @@ module Spid
       def inner_sso_attributes
         {
           protocol_binding: protocol_binding_value,
-          name_identifier_format: name_identifier_format_value,
           authn_context: authn_context,
           authn_context_comparison: Spid::MINIMUM_COMPARISON
         }
@@ -58,10 +57,6 @@ module Spid
       def protocol_binding_value
         "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       end
-
-      def name_identifier_format_value
-        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-      end
     end
   end
 end

data/lib/spid/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spid
-  VERSION = "0.9.0"
+  VERSION = "0.10.0"
 end

data/lib/spid.rb

@@ -19,10 +19,13 @@ module Spid # :nodoc:
   class UnknownSignatureMethodError < StandardError; end
 
   EXACT_COMPARISON = :exact
-  MINIMUM_COMPARISON = :minumum
+  MINIMUM_COMPARISON = :minimum
   BETTER_COMPARISON = :better
   MAXIMUM_COMPARISON = :maximum
 
+  BINDINGS_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+  BINDINGS_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+
   COMPARISON_METHODS = [
     EXACT_COMPARISON,
     MINIMUM_COMPARISON,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - David Librera
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-07-31 00:00:00.000000000 Z
+date: 2018-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -313,6 +313,7 @@ files:
 - lib/spid/rack/login.rb
 - lib/spid/rack/logout.rb
 - lib/spid/rack/metadata.rb
+- lib/spid/rack/session.rb
 - lib/spid/rack/slo.rb
 - lib/spid/rack/sso.rb
 - lib/spid/service_provider.rb